A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier this year) to get its own code evaluated through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the Users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well, and the blogger notices that all his links are broken, which causes him to dig deeper and discover the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or when your site gets removed from Google for having spam and malware on it.

I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.

2.8.4, the current version of WordPress, is immune to this worm. (So is the release before it, 2.8.3.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends, or blogs you read, and see if they need any help. A stitch in time saves nine.
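As an added example (not code from the original post or from the WordPress project), here is a small triage script for the situation described above: it reads the installed version from wp-includes/version.php, lists administrator accounts straight from the database so that JavaScript injected into the Users page cannot hide them, and flags published posts carrying hidden markup. It assumes the default wp_ table prefix and uses sqlite3 with constructed rows so that it runs offline; the suspicious-markup patterns and the sample account names are assumptions made for the example, not details taken from the worm.

```python
"""Added triage example; not WordPress code and not from the original post.

Assumptions: sqlite3 stands in for MySQL so the script runs offline; on a real
site run the same queries against MySQL with the $table_prefix from
wp-config.php. The markup indicators and the sample rows are constructed.
"""
import re
import sqlite3

MIN_SAFE_VERSION = (2, 8, 3)  # oldest release the post says is immune


def parse_wp_version(version_php):
    """Read $wp_version out of the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    numeric = re.match(r"\d+(?:\.\d+)*", m.group(1)).group(0)  # drop '-beta1' etc.
    return tuple(int(p) for p in numeric.split("."))


def needs_upgrade(version_php):
    return parse_wp_version(version_php) < MIN_SAFE_VERSION


def roles_from_capabilities(serialized):
    """Role names set to true in a PHP-serialized wp_capabilities value such as
    a:1:{s:13:"administrator";b:1;}. A regex is used on purpose: the value is
    attacker-writable, so it is never unserialized or evaluated."""
    return re.findall(r's:\d+:"([^"]+)";b:1;', serialized)


def _check_prefix(prefix):
    # the prefix is interpolated into SQL, so allow identifier characters only
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"unsafe table prefix {prefix!r}")
    return prefix


def list_admins(conn, prefix="wp_"):
    """(ID, login, registered) for every account holding the administrator role."""
    p = _check_prefix(prefix)
    rows = conn.execute(
        f"SELECT u.ID, u.user_login, u.user_registered, m.meta_value "
        f"FROM {p}users u JOIN {p}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ?",
        (f"{p}capabilities",),
    ).fetchall()
    return [(uid, login, reg) for uid, login, reg, caps in rows
            if "administrator" in roles_from_capabilities(caps)]


# constructed indicators of injected content (an assumption, not from the post)
SUSPICIOUS = [
    ("hidden block", re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("remote script", re.compile(r"<script\b[^>]*\bsrc\s*=", re.I)),
]


def find_hidden_content(conn, prefix="wp_"):
    """(ID, title, [indicator names]) for published posts/pages that match."""
    p = _check_prefix(prefix)
    hits = []
    for pid, title, body in conn.execute(
        f"SELECT ID, post_title, post_content FROM {p}posts "
        f"WHERE post_status = 'publish' AND post_type IN ('post', 'page')"
    ):
        reasons = [name for name, rx in SUSPICIOUS if rx.search(body)]
        if reasons:
            hits.append((pid, title, reasons))
    return hits


def build_sample_db():
    """Constructed in-memory stand-in for a compromised site's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT,
                               post_status TEXT, post_type TEXT);
        INSERT INTO wp_users VALUES (1, 'alice', '2008-01-10 09:00:00');
        INSERT INTO wp_users VALUES (2, 'bob', '2008-06-02 14:30:00');
        INSERT INTO wp_users VALUES (3, 'svc_backup', '2009-09-04 03:12:41');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"author";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_posts VALUES (1, 'Hello world', '<p>Welcome to my blog.</p>', 'publish', 'post');
        INSERT INTO wp_posts VALUES (2, 'Old post', '<p>Text</p><div style="display:none"><a href="http://example.net/">x</a></div>', 'publish', 'post');
        INSERT INTO wp_posts VALUES (3, 'Draft', '<iframe src="http://example.net/"></iframe>', 'draft', 'post');
    """)
    return conn


if __name__ == "__main__":
    print("needs upgrade:", needs_upgrade("$wp_version = '2.7.1';"))
    db = build_sample_db()
    for uid, login, registered in list_admins(db):
        print(f"admin #{uid} {login} (registered {registered})")
    for pid, title, why in find_hidden_content(db):
        print(f"post #{pid} {title!r}: {', '.join(why)}")
```

On a live site, point the same queries at MySQL and compare the administrator list against the accounts you created yourself; an administrator you don't recognise, or a post whose content has changed since you published it, is a reason to restore from a clean backup and then upgrade, rather than to delete the visible traces and hope the clean-up was complete.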

Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil is easy to spot because it is easy to do. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just probes for the vulnerable behaviour directly, version number be damned.

The really interesting thing about the second category, from a game theory perspective, is that its measures are all Club solutions, not Lojack solutions. There are two basic approaches to protecting your car from theft: The Club (or The Shield, or a car alarm, or something similar), and Lojack. The Club isn’t much protection against a thief who is determined to steal your car (it’s easy enough to drill the lock, or just cut the steering wheel and slide The Club off). But it is effective protection against a thief who wants to steal a car (not necessarily your car), because thieves are generally in a hurry and will go for the easiest target, the low-hanging fruit. The Club works as long as not everyone has it: if everyone had it, thieves would have an equally difficult time stealing any car, their choice would be based on other factors, and your car would be back to being as vulnerable as anyone else’s. The Club doesn’t deter theft, it only deflects it.

Club blog security solutions can be simple (like an .htaccess file) or incredibly complex (like two-factor authentication), and they can work, especially against known exploits. Club solutions can be useful, like using a strong or complex password for your login — no one would recommend against that. (Another Club solution is switching to less-used software on the assumption, or rather on the software’s own claim, that it’s perfect and more secure. This is why BeOS is more secure than Linux, ahem.)

In the car world, if someone figured out how to teleport entire cars to chop shops, The Club wouldn’t be so useful anymore. Luckily for manufacturers of The Club, this hasn’t happened. Online and in the software world, though, the equivalent happens almost daily. There is only one real solution. The only thing that I can promise will keep your blog secure today and in the future is upgrading.

WordPress is a community of hundreds of people who read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is what keeps your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade; it’s the only way we can help each other.

451 Pings

[…] It seems there’s a worm on the loose that is targeting older versions of WordPress – so spending the time to upgrade now could save you a lot of time should you get attacked. Full details of the situation from WordPress central: How to keep WordPress secure […]

[…] Keep your WordPress updated Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. continues at wordpress.org […]

[…] you should stop what you are doing and head over to this post on the WordPress development blog: How to Keep WordPress Secure. It discusses a worm which is currently doing the rounds, attempting to exploit older versions of […]

[…] article telling how to keep your wordpress more secure from attacks. You can read the full post here A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for […]

[…] from cyber-catastrophes, but, instead, a little good-old-fashioned digital self-help! From the WordPress Blog: WordPress is a community of hundreds of people that read the code every day, audit it, update it, […]

[…] Sharpish. ‘Old’ means anything prior to the current version, or the one before that, according to Matt Mullenweg. It’ll be interesting to see if folk jump ship over this. (Where to, I don’t […]

[…] them to the comment box of any affected posting. If you have a WordPress site, here are the latest instructions as to what to do (if you haven’t been hit, and haven’t upgraded, upgrade.) In the […]

[…] being hit – by a worm that affects any old (ie before 2.8.4) version. Details are here (and also on WordPress's site). As Matt Mullenweg, who has played a key part in the development and commercialisation of […]

[…] by Jayvee Fernandez If you haven’t yet upgraded to the latest version of WordPress 2.8.4, then it is high time you should. WordPress.org is under attack and the potential damage to its users is high. Matt writes, Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. […]

[…] Matt Mullenweg: Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it (How to keep your WordPress Secure). […]

[…] 2.8.4. A worm is doing a lot of damage to blogs that have not been updated, but according to WordPress, 2.8.4 is immune to this threat. If you haven’t updated to 2.8 yet, there are several steps […]

[…] WordPress › blog » How to Keep WordPress Secure Club blog security solutions can be simple (like an .htaccess file) or incredibly complex (like two-factor authentication), and they can work, especially for known exploits. Club solutions can be useful, like using a strong or complex … […]

[…] but sometimes it is very helpful, as in this case where I am a fan of WordPress and they linked to their blog where they wrote about the worm that is infecting old WordPress sites. This got me updating all my […]

[…] are reporting that their sites are being compromised by hackers. WordPress founder Matt Mullenweg has confirmed that older versions can be compromised by hackers through a security hole that has been patched in […]

[…] people are running 2.7 or lower. WordPress founder, Matt Mullenweg, posted on WordPress.org the importance of keeping your WP installation secure. Right now there is a worm making its way around old, unpatched versions of WordPress. This […]

[…] attack by a worm tailored to a weakness that existed in older versions of the blogging software. Here’s the scoop. Right now there is a worm making its way around old, unpatched versions of WordPress. This […]

[…] Codex. However, most of this effort could be in vain unless you ensure that you always try to run the latest version of WordPress. Updates are announced via your WordPress dashboard and can be installed automatically with just a […]

[…] WordPress › Blog » How to Keep WordPress Secure – Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. […]

[…] have been a number of vulnerabilities discovered in WordPress since it started, including one earlier this month. They all have pretty much the same objective: to try to get access to your blog in order to post […]

[…] WordPress › blog » How to Keep WordPress Secure Club blog security solutions can be simple (like an .htaccess file) or incredibly complex (like two-factor authentication), and they can work, especially for known exploits. Club solutions can be useful, like using a strong or complex … Blog Marketing […]

[…] September 6: The new security problem we mentioned above is being widely discussed in posts like How to Keep WordPress Secure and Old WordPress Versions Under Attack. Although our customers have been protected against this […]

[…] A post by Matt Mullenweg about this hack on the WordPress Development Blog – I think the advice could be a little more rounded and pragmatic, personally. Not everyone can be 100% up to date. Upgrades need testing, and folk go offline for weeks at a time… […]

[…] info: Old WordPress Versions Under Attack WordPress Permalink & Rss problems How to Keep WordPress Secure This entry was written by Verdi, posted on September 6, 2009 at 1:19 pm, filed under The Web. […]

[…] you are running anything older than version 2.8.4, then I recommend you upgrade now. The official WordPress.org blog reported a particularly nasty worm making its way across independently hosted WP blogs. This […]

[…] under: Security, News, Blogging. Several sites are reporting that a major attack on WordPress blogs started yesterday. The latest version of WordPress, 2.8.4, is not vulnerable to this particular […]

[…] that day, Matt Mullenweg published a post on the WordPress Dev Blog entitled – How To Keep WordPress Secure. There I learned that these recent attacks were different and were caused by a smart and malicious […]

[…] the information is published regarding new releases. Speaking of the development blog, please read Matt’s latest post which is a breath of fresh air regarding the latest round of attacks and why upgrading is an […]

[…] broke in and took things. So that this doesn’t happen to you too, please read this and act on it: How to Keep WordPress Secure. Right now there is a worm making its way around old, unpatched versions of WordPress. This […]

[…] of commotion about upgrading WordPress to 2.8.4 due to a worm that is currently circulating. The WordPress blog reports: Right now there is a worm making its way around old, unpatched versions of WordPress. This […]

[…] in need of a 1/2 term break already! Returned to work to find WordPress had released a critical security update for their blogging engine. The last couple of releases have had an excellent in-built ftp upgrade […]

[…] the experience left him upset and digitally vulnerable. But what really disappointed Scoble was WordPress’ casual and, arguably, cavalier, reaction: it could have been avoided if he had upgraded to version […]

[…] Post written by Matt (who has a great URL I might add) on the security of your blog. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible … […]

[…] has been a plethora of news stories about pre-2.8.4 versions of WordPress being hacked (Lorelle, Matt or the Guardian). The official way to protect yourself is to install an upgraded version of the […]

[…] What WordPress really needs is a better architecture that solves the two problems stated above and as such makes vulnerabilities like this recent one very unlikely, not ever more ad-hoc hacks. Unless the WordPress project is willing to spend considerable effort on the architecture, using WordPress for professional means will become an intolerable liability. Software Engineering is about long-term stability and dependability, established in the process, not about “if you update your WordPress every few days, you’re safe” (as Matt Mullenweg suggested). […]

[…] here, you might want to subscribe to the RSS feed for updates on this topic. There’s a serious security concern for WordPress users as a worm has been lurking the Internet wreaking havoc on unpatched versions of […]

[…] the latest updates, is to make sure your software is always safe. There is a worm that is attacking old WordPress installations. If you are not running WordPress 2.8.4 then please upgrade now: This particular worm, like many […]

[…] blog due to a new worm that will hose your (precious) blog if it gets to you. You can read about it here. I have to admit that I have been putting this off as the upgrade docs, while not being anything […]

[…] From WordPress.org founder Matt Mullenweg… Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. Read on. […]

[…] the first things tackled was a backup and install of the latest version. There is a great post on why to upgrade on WordPress.org. A quick way to tell if you’ve been affected by the worm is to look at your users’ page […]

[…] to agree with him. While the timing may or may not be designed to take the heat of yet more hacking threats to WordPress.org users, I’m somewhat frustrated that WordPress lacks many basic features and […]

[…] some WordPress blogs that are using outdated versions of the blogging software, reports CNET News. According to the company, “This particular worm … registers a user, uses a security bug (fixed earlier in the […]

[…] WordPress and you haven’t upgraded for a while I would highly recommend upgrading. From the official WordPress blog (by Matt): A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true […]

[…] WordPress.org says this: Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. […]

[…] when I remember – once every few months, which is much too seldom. This was prompted by the recent security alert on WordPress. In case you still haven’t heard, there is a worm going around which is designed to attack […]

[…] are dead, that RSS represents a poor man’s technology. And yes, there’s even that whole “Wordpress hack attack” thing that’s been going on that WordPress needs to address. Fast. But just because […]

[…] like Lorelle on WordPress have offered. If you have a WordPress blog yourself, you should also read Matt Mullenweg’s tips on securing your WordPress installation. And Google Webmaster Central Blog recommends to site owners some best practices against hacking […]

[…] found that the self-hosted WordPress blogs are under security risk and later Matt Mullenweg had to advise users to upgrade (Though, Robert Scoble still feels unsafe). The second big news was addition of a […]

[…] There is a worm digging its way through older versions of WordPress. It got started over the Labor Day weekend and I expect it will continue until everyone’s WP is either infected or updated. Here is a link to Matt’s blog post on the worm. […]

A worm affecting older versions of WordPress has been getting lots attention in recent days. The worm takes advantage of a security flaw that allows it to register a new user, grant itself administrator privileges and wreak havoc with your permalink s…

[…] Keep Word Press Secure This entry was written by Buck, posted on September 8, 2009 at 8:44 pm, filed under Uncategorized. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback. « previous post […]


[…] tech story of last weekend was probably that WordPress installations around the world got hit by a nasty worm, so it was nice to see today that WordPress bounced back with an announcement that wordpress.com […]

[…] been reading a number of articles which have seriously questioned the future of WordPress after a nasty worm did the rounds, exposing anyone with an outdated version of WordPress. If anything, Scoble’s […]

[…] Posted in blog | Posted on 09-09-2009 | 0 Comments Tags: wordpress A couple months ago at WordCamp Chicago 2009, Matt Mullenweg had been asked by Dan Schulz on how to make WordPress more secure. Finally what he has said has been written in more detail at WordPress.org in the article How to Keep WordPress Secure. […]

As it turns out, the latest WordPress updates were not useless ("Fortunately, because of the hard work of the WordPress open source community, the current (2.8.4) and most recent (2.8.3) versions are immune…"), and as for everyone living …

[…] In case you missed it (though I’m not sure how you would) there was a scare for WordPress users out there that have been using an older version of the popular blogging engine about a worm going around and exploiting a hole to create a user, become an admin and quietly put spam links and malware into your posts without you knowing. The solution? Simple! Update right away! […]

[…] that Tawnya Sutherland of VAnetworking discovered that one of her websites had been hacked due to a security breach in an older version of WordPress. Well, just before Tawnya made her announcement, I had posted my puzzling question on […]

[…] exposing yourself to security risks. Just this week, WordPress announced that there’s a security threat affecting certain versions of its software. If you’re running these versions, either you pay to have them upgraded (it can get tangly if […]

[…] exploits that take advantage of older installs of the software. Even the official development blog posted a response encouraging users to keep their blogs upgraded. Lorelle has posted some information about the […]

[…] dashboard, I noticed a link to a post by Matt Mullenweg, the founding developer of WordPress. The post itself is about how to keep WordPress (meaning your blog) secure from hackers, worms, and other malware. […]

[…] a huge fuss last weekend about a WordPress worm wreaking havoc on websites which hadn’t been upgraded by their owners. I am often in my WordPress admin panel and so I will see quite quickly that there […]

[…] Note from the Developers: Hi guys, we’ve had a few users whose server configuration affected their upgrade. We would just like to remind you all that if you aren’t doing so, please backup your databases before upgrading. If your site is valuable to you, make sure you take the time to backup your database and files. As Matt recently said in his wordpress security blog post ‘A stitch in time saves nine’ […]

[…] about blogging! Maybe I wouldn’t make a come back this soon if Matt over there didn’t write that scary post about the recent WordPress worm. I’m invulnerable to it since I turned off user registration […]

[…] that do not keep their sites up to date are putting their reputations at risk. According to a recent announcement on the WordPress blog, a worm is making its way around the internet. The worm is exploiting […]

[…] now I’m going to tell you that I did find a blog post worth passing on. It’s from Matt, over at wordpress.org, on how to keep wordpress secure. But don’t just stay on the first paragraph. This is […]

Matt has an interesting blog post at the WordPress blog about why you should keep your WordPress version up-to-date (as if you needed another reason). Matt compares 3 types of WordPress security advice: snake oil. Club solutions and real advice (see hi…

[…] Don’t you just LOVE it when there’s a blogger you read (or watch) and they blog for a while and then they just disappear for a few weeks? Sure, they’re on twitter, and they utter now and again (despite Utterli having tremendous telephone interface issues), and they pop up their head every once in a while to do a blog upgrade or two (if you haven’t heard yet, all you WordPress users should make sure you upgrade). […]

[…] to understand what was going on, (Thank you to my Twitter friends, and especially you Lorelle!) and what to do about it… it was time to go through each and every site I run and/or manage for my clients. A daunting […]

[…] It then makes itself an admin and uses JavaScript to hide itself when you look at the users page. It cleverly cleans up after itself and usually goes unnoticed while it apparently inserts hidden spam and malware into your old posts. wordpress.org/development/2009/09/keep-wordpress-secure/ […]

[…] web site owners. While the official WordPress development blog states that the WordPress team is doing everything they can, others have been wondering if more could be done. I would like to get a discussion going here at […]

[…] How to Keep WordPress Secure September 5, 2009 A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later. Right now there is a worm making its way around old, unpatched versions of WordPress. […] […] […]


[…] very vulnerable to this worm. Matt, the co-founder of WordPress, wrote a blog entry on how to keep your WordPress secure and if you have not read it, I suggest that you read it. He explained everything […]

[…] How to Keep WordPress Secure September 5, 2009 A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later. Right now there is a worm making its way around old, unpatched versions of WordPress. […] […] […]

[…] major vulnerability announcements from Microsoft, Adobe, and now even the popular website hosting platform, WordPress, I decided it was definitely time to sit down with my friends on the WBIR morning show for a […]

[…] shell (takes a little more expertise, but allows you to backup your wordpress directory first). Keeping wordpress secure may seem daunting, or troublesome, but remember that your online presence is at risk, and […]

[…] very frequent recently and another latest version WordPress 2.8.4 has been released. The reason the WordPress team upgraded WordPress to 2.8.4 was because there is a worm making its way around old, […]

[…] Computer crime is rampant and quite profitable. Websites have long been defaced for fun or viruses and worms released to cause disruptions. Now there’s an incentive for criminals to avoid detection, to add your machines to a botnet for hire, or hide spam and ad links in your WordPress blog. […]

[…] How to Keep WordPress Secure September 5, 2009 A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later. Right now there is a worm making its way around old, unpatched versions of WordPress. […] […]

[…] WordPress trackback With all the security problems around previous versions of WordPress platform, it is a great idea to immediately upgrade WP installations to the latest available version. Take that, […]

[…] we would have avoided this outcome. You see – we should have known and taken action when the founder of WordPress alerts both aforementioned lists that… “A stitch in time saves nine. I couldn’t sew my way […]